COMMAND
QuickTime/Darwin Streaming Administration Server Multiple
vulnerabilities
SYSTEMS AFFECTED
Application: Darwin Streaming Server 4.1.2
QuickTime Streaming Server 4.1.1
PROBLEM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: QuickTime/Darwin Streaming Administration
Server Multiple vulnerabilities
Release Date: 03-24-2003
Application: Darwin Streaming Server 4.1.2
QuickTime Streaming Server 4.1.1
Platform: MacOS X, Linux, Solaris, Windows
Severity: Remote Command Execution / Privilege Escalation
Arbitrary Directory Listings / Cross Site
Scripting x2
Physical Path Revelation / Buffer Overflow
Authors: Dave G. <daveg@atstake.com>
Ollie Whitehouse <ollie@atstake.com>
Vendor Status: Vendor has software update
CVE Candidate: CAN-2003-0050 through CAN-2003-0055
Reference: www.atstake.com/research/advisories/2003/a032403-1.txt
Overview:
Apple Darwin and QuickTime Streaming Administration Servers are web
based services that allow administrators to manage the Darwin and
QuickTime Streaming Servers. By default, these servers run as root on
port 1220/tcp.
There is a pre-authentication remote command execution condition within
this service. Any attacker with a web browser and network access to the
service can execute commands on the underlying operating system.
Certain versions of the Darwin Streaming Administration Server restrict
this attack, allowing an attacker to execute a command, but without
additional command line arguments.
Additionally, a number of other vulnerabilities can be used to:
a) Reveal the physical path
b) Retrieve arbitrary directory listings outside of the web root
c) Initiate cross-site scripting attacks
d) Local privilege escalation through a buffer overflow
Details:
1) Arbitrary Command Execution
The Darwin Streaming Administration Server relies on the parse_xml.cgi
application to authenticate and interface with the user. This CGI is
written in Perl and passes unvalidated input to the two-argument form of
the open() function. In that form open() parses the mode out of the
string itself: a trailing pipe character '|' tells it to run the rest of
the string as a command and read its output, so attacker-supplied input
containing '|' results in command execution.
The call in question takes its input from a parameter passed to the CGI
in a GET request. The QuickTime Streaming Server is vulnerable to this
attack as-is. Newer versions of the Darwin Administration Server added a
check for the existence of the template file (Perl's -e file test
operator) before the open(). While this check does provide some
protection, there is a well known technique to partially bypass(*) it.
The -e test hands the string to stat(2), which stops at the first NUL
byte, whereas open() still sees the trailing pipe. By inserting a NUL
(0x00) between the last character of the command and the pipe, an
attacker therefore passes the file existence check and still executes
the command. However, the part of the string before the NUL must itself
be the path of an existing file, so attackers cannot append command
line parameters. While this limits the attacker's ability to take full
control of the operating system, there are several situations where
this vulnerability still presents a risk:
a) If an attacker can create arbitrary files and knows their location.
b) If an attacker has a non-root account on the system, this
vulnerability can be used to obtain root privileges.
c) If an attacker can find an application on the system that can
reduce the security or availability of the system without
requiring additional command line arguments.
(*) "PERL CGI problems", Phrack 55, Article 7, rain.forest.puppy
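The following is an added illustration, not code from parse_xml.cgi or
from Apple: it reproduces the two-argument open() pattern described
above, shows why a preceding -e test is not a fix, and puts a hardened
version beside it. The template directory and the file name pattern are
assumptions made for the example. Note that Perl 5.20 and later reject
file names containing NUL bytes in open() and the file test operators,
so the NUL trick only applies to the perls of the advisory's era.

```perl
#!/usr/bin/perl
# Added example (not the advisory's parse_xml.cgi): vulnerable two-arg
# open() beside a hardened three-arg open() with input constraints.
use strict;
use warnings;

# --- vulnerable: two-argument open() with an attacker-controlled name ---
# In two-argument form open() parses the mode from the string itself.
# A trailing '|' turns the "file name" into a command to run and read.
sub vuln_read {
    my ($filename) = @_;
    open(my $fh, $filename) or return undef;   # "id|" runs id
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# A file-existence test does not close the hole: -e passes the string to
# stat(2), which stops at the first NUL byte, so on old perls
# "/usr/bin/id\0|" passes -e while open() still sees the trailing '|'.
# Anything after the NUL would break the -e check, hence no arguments.
sub vuln_read_with_check {
    my ($filename) = @_;
    return undef unless -e $filename;
    return vuln_read($filename);
}

# --- hardened ---
# 1. three-argument open(): the mode is a separate argument, so the
#    name is only ever a file name and '|' has no special meaning.
# 2. the name is constrained to one path component inside a fixed
#    directory, which also rules out traversal, NUL bytes and
#    directories (the directory-listing issue further down).
my $TEMPLATE_DIR = "/var/qtss/html";   # assumed location, for illustration

sub safe_read {
    my ($filename) = @_;
    return undef unless defined $filename
        && $filename =~ /\A([A-Za-z0-9_\-]+\.html)\z/;
    my $path = "$TEMPLATE_DIR/$1";
    return undef unless -f $path;          # regular file only
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

if (!caller) {
    print "vulnerable: ", vuln_read('id|') // "(failed)\n";
    print "hardened:   ", safe_read('id|') // "(rejected)\n";
}
```

Running the script prints the output of id for the vulnerable path and
"(rejected)" for the hardened one; the same input would also be
rejected by the regular expression if it contained '/', '..' or a NUL.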
2) Physical Path Revelation
In addition, it is possible to cause the same CGI application to reveal
the physical path in which the Darwin/QuickTime admin servers are
installed by passing a NULL as the filename parameter.
3) Arbitrary Directory Listings
parse_xml.cgi is also susceptible to arbitrary directory listings due
to the lack of user input validation within the application. On UNIX
operating systems it is possible to use the same open() call to open a
directory as if it were a regular file, and the raw directory entries
are returned in place of the page. Because the output is binary, it may
be necessary to view the source of the returned page in a web browser
in order to read the listing.
4) Cross Site Scripting
There is a minor security vulnerability in the way that parse_xml.cgi
generates error messages when a filename which does not exist is passed
as the 'filename' parameter: the supplied name is reflected into the
page unescaped, which exposes administrators to cross site scripting.
Combined with the fact that the 'qtpassword' cookie is simply the
administrative username and password Base64 encoded, this provides an
easy method of obtaining valid credentials for the site in question.
5) Cross Site Scripting - Round 2
There exists another cross site scripting issue which is more likely to
be exploited due to the manner in which it occurs. An unauthenticated
user who makes an RTSP request to port 7070 can supply scripting code
as part of the argument to the DESCRIBE method. The request line is
then written to the log file. When the logs are viewed within the
administrative interface, the code is rendered unescaped and executes
in the administrator's browser session.
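As an added example covering issues 4 and 5 (not code from the admin
server), the following shows the two sinks, a reflected file name in an
error page and raw RTSP log lines in the log viewer, rendered with and
without HTML escaping, plus the decode of a qtpassword-style cookie that
makes the script injection worth an attacker's time. The log line
format, the script payload and the "user:password" layout of the cookie
are constructed for the example; the advisory only states that the
cookie holds the username and password Base64 encoded.

```perl
#!/usr/bin/perl
# Added example: unescaped vs escaped rendering of attacker-controlled
# strings in an admin page, and why the cookie makes it matter.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Minimal HTML escaper covering the characters that matter in element
# content and attribute values.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Issue 4: error message that reflects the requested file name.
sub error_page_vuln {
    my ($name) = @_;
    return "Can't access HTML file '$name'!";
}
sub error_page_safe {
    my ($name) = @_;
    return "Can't access HTML file '" . html_escape($name) . "'!";
}

# Issue 5: the log viewer prints request lines captured by the RTSP
# server on port 7070. Each entry is wrapped in <pre>, either verbatim
# (vulnerable) or escaped (hardened).
sub log_view_vuln {
    my @lines = @_;
    return join("\n", map { "<pre>$_</pre>" } @lines);
}
sub log_view_safe {
    my @lines = @_;
    return join("\n", map { "<pre>" . html_escape($_) . "</pre>" } @lines);
}

# Assumed cookie layout: base64("user:password"). Script running in the
# admin origin can read document.cookie and recover both values.
sub decode_qtpassword {
    my ($cookie) = @_;
    my ($user, $pass) = split /:/, decode_base64($cookie), 2;
    return ($user, $pass);
}

if (!caller) {
    # Constructed inputs: a file name and RTSP DESCRIBE log lines, one of
    # them carrying a script payload (illustrative, not from the advisory).
    my $bad_name = q{<script>alert(1)</script>};
    my @log = (
        '10.0.0.5 "DESCRIBE rtsp://server/sample.mov RTSP/1.0" 200',
        '10.0.0.9 "DESCRIBE rtsp://server/<script>alert(document.cookie)</script> RTSP/1.0" 404',
    );
    print error_page_vuln($bad_name), "\n";
    print error_page_safe($bad_name), "\n";
    print log_view_vuln(@log), "\n";
    print log_view_safe(@log), "\n";
    my ($u, $p) = decode_qtpassword(encode_base64("admin:secret", ""));
    print "cookie decodes to user=$u pass=$p\n";
}
```

The escaped variants render the payload as literal text; the
vulnerable ones hand it to the administrator's browser as markup. The
cookie decode shows why the advisory rates the log-viewer XSS as the
more dangerous of the two: any script that runs in the admin origin
walks away with credentials, not just a session.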
6) Buffer Overflow in MP3 Broadcasting Module
There is a buffer overflow in the MP3 broadcasting module contained
within the streaming server. An MP3 file whose file name is longer than
256 bytes triggers the overflow.
Because the streaming server runs as root by default (on Unix), this
can potentially be used by local or FTP users to escalate privileges.
Update (01 March 2003)
======
Joe Testa, Rapid 7, Inc, says :
I've found two other issues in QuickTime Streaming Server v4.1.1 that
seem to be fixed in the newest v4.1.3:
1.) File probing:
Request: http://localhost:1220/parse_xml.cgi?filename=../nonexistent
Response: 'Can't access HTML file '../nonexistent'!' [...]
Request: http://localhost:1220/parse_xml.cgi?filename=../../../autoexec.bat
Response: 'Can't open HTML file '../../../autoexec.bat'! [...]
As you can see, this discrepancy in the error message allows an
unauthenticated user to "feel-out" the file system and determine what
structures and files exist.
2.) File retrieval:
Request: http://localhost:1220/parse_xml.cgi?filename=.../qtusers
Response: "realm Streaming Server admin:$dufr$D9/.....$C4g2VaRK" [...]
This works against the Win32 platform, and not against the Linux
platform; this was not tested against Solaris or MacOS X.
SOLUTION
Vendor Response:
Apple has an update for Mac OS X Server which addresses these issues.
The software update is available from the following locations:
Updating from Mac OS X Server 10.2.3:
http://www.info.apple.com/kbnum/n70171
Updating from Mac OS X Server 10.2, 10.2.1, or 10.2.2:
http://www.info.apple.com/kbnum/n70172
Recommendation:
You should apply the software update available from Apple. If this is
not possible it is recommended that this service not be Internet
accessible.
Credit:
Dave G. <daveg@atstake.com> is responsible for finding issue #1:
Arbitrary Command Execution.
Ollie Whitehouse <ollie@atstake.com> is responsible for finding
issues #2: Physical Path Revelation, #3: Arbitrary Directory
Listings, #4: Cross Site Scripting, #5: Cross Site Scripting -
Round 2, and #6: Buffer Overflow in MP3 broadcasting module.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2003-0050 Arbitrary command execution in QuickTime Streaming
Server
CAN-2003-0051 Physical path revelation in QuickTime Streaming
Server
CAN-2003-0052 Directory listings in QuickTime Streaming Server
CAN-2003-0053 Login credentials in QuickTime Streaming Server
CAN-2003-0054 Arbitrary command execution when viewing QTSS logs
CAN-2003-0055 Buffer overflow in MP3 Broadcasting application
@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive: http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
Copyright 2003 @stake, Inc. All rights reserved
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com
iQA/AwUBPlq77Ee9kNIfAm4yEQIPkACgtDX/wGwNMDGoSS3UTwTY2HDMDEoAoNm4
aVOYvQqDjdVRVanxgw9vVVED
=Kqfm
-----END PGP SIGNATURE-----